PHP-General - Trouble with delete_product.php

Been working for hours on this and I just can't seem to figure it out. Here is the delete_product file:


And here is the INDEX that I'm trying to delete a row from when the user hits the delete button.



I have an error on line 6 of delete_product =undefined variable. I just don't know what to put there, any help is appreciated. Thanks.

Hi,

first of all, you have a massive security whole there. Since you don't do any authentication (as far as I can tell) and directly inject the POST parameter into the query string, everybody can delete the whole products table just by sending a POST request to delete_product.php with

as the "product_id" parameter.

That's obviously a very bad idea. First of all, add authentication (if it isn't already there). Secondy, always escape database input values or use prepared statements. This makes sure that the values are actually interpreted as data so that they cannot be used to manipulate the query.

As to your original question: The variable $product_Code must be defined somewhere before you can use it. And that's what PHP is telling you.

Judging from your HTML form, you probably want to pull the parameter "product_id" from the POST data. So do it:



And then escape it or pass it to the prepared statement.

The DB is for a school assignment, we are having to build the forms from scratch so for security I'm not worried about for this particular project. I just have to develop forms to get the database functional. I have the data pulling from the table correctly, I just can't get the delete button to delete the correlating row. Sorry for my ignorance, only been using PHP for a couple of months but I don't understand what you are meaning by "escaping it or passing it". Also, the "product_id" I originally had that in my form under the delete command, but there's no "product_id" in this table, so I thought I didn't need it and I would instead use the productCode which is the primary key. Thanks for the reply. I will try to insert the line you gave me and read a little more but any further explanation would be great.

Unless this is a pure fun project for you to play around in PHP a bit, security is a part of the application. It doesn't matter if you actually need it in this specific case. It's necessary for the code to be correct.

Otherwise it's like teaching people how to drive, but the car has no brakes, because "you don't need them" on the training course.





When you simply insert strings in a query without any preparations, there's obviously a danger of the strings being interpreted as actual SQL commands (instead of plain data). This allows users to manipulate the queries -- see the example above.

So you have to make sure that this doesn't happen. There are basically two ways:

You can manually wrap every value in quotes and escape it. Escaping means that certain characters are devaluated and turned into literal characters (by prepending a backslash). For example, the quotes must be devaluated to prevent the user from "breaking out" of the value quotes and being able to inject SQL commands.

The second way, which is more modern and secure, consists of using prepared statements. Those are a kind of "query templates" with placeholders for values. Instead of building a query string, you create a prepared statement, pass the values to it and then execute the statement. This way the values will never be interpreted as SQL but only as pure data.

See the PHP article or Wikipedia on SQL injections.

PHP supports both approaches. But how exactly they work depends on how you interact with your database.





In any case, you need to define a variable before you can use it.

PHP did have a "feature" some time ago that would automatically put the request parameters into variables. But that's horribly insecure and has long been abolished. Maybe that's where you got the idea from?

I think last time you posted we determined that $db was an instance of PDO. That means the following should work and be secure at the same time:



In this case, :product_id is an arbitrary token that I insert into the SQL query as a place-holder for some unsafe value that I wish to use as part of the query. I could have called this anything, like :asdufdioer, but :product_id makes sense. It has no connection to the fact that the value I want to use is stored in $_POST['product_id'] though.

The second argument to exec is an array of such place-holders, with the array index equal to the place-holder and the element value equal to the unsafe value that you wish to be substituted into that query in place of the place-holder.

In this case, $_POST['product_id'] contains the unsafe value that you want to use. $_POST because your <form>'s method="post" and 'product_id' because your <input>'s name="product_id".

I tried placing that line of code in the delete_product file and I received an error. Not sure if this is where you suggested putting that line of code but it was what I took from it.

( ! ) Warning: PDO::exec() expects exactly 1 parameter, 2 given in C:\xampp\htdocs\tech_support\product_manager\delete_product.php on line 10
Call Stack
# Time Memory Function Location
1 0.0004 328536 {main}( ) ..\delete_product.php:0
2 0.0023 330168 PDO->exec( ) ..\delete_product.php:10

Bah, I screwed that example;

That's the error I received that time. I'm just completely lost on this now. I thought it was something simple, but after having worked on it the past 4 days I'm just completely dumbfounded. Again, I appreciate all the help and advice but it's just not computing with me. I've read the book over and over, for what I need to know at this point any how and it just doesn't make sense. I read it, and then practice it and it still doesn't work.

Have you forgotten the require()? Because $db not being defined is a pretty sure sign that your database script isn't included.

It's there. The row is never deleted after the button click though.

delete_product.php
And here is the index.php that I'm running. I can't pinpoint what I've done wrong here.

Um, there's no "prepare()" at all, you've somehow gone back to your very first variant. What's your actual code that produces the error message you were talking about?

I'm in class now and no one can figure out as to why the delete button is not deleting the actual row. Here's the index.php and delete_product.php.

index:

Delete_product:

sorry for all the hassle and ignorant posts, but I'm stuck at this point and no one can figure it out.

The problem is that you keep changing your code without giving us the current version, and it gets worse every time. Now you don't even execute the query.

Please go back to E-Oreo's code. It seems you just copied and pasted it over your old code so that the database script wasn't included any longer. That of course doesn't work. You need to replace only your query stuff: